Tuesday, 02 June, 2020

Zoom backtracks on 'legitimate solution' that left Mac webcams vulnerable to hijacking

Cecil Davis | 11 July, 2019, 10:58

The update also allows users to manually uninstall Zoom.

"Additionally, if you have ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage".

The flaw only affects computers running Apple's macOS, because Windows computers manage connections in a different way, the report says.

"Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client," Zoom says.

In a more detailed public statement, Zoom said that once its July update is applied, users and admins will be able to configure their client video settings so that video is off when joining a meeting, and that the preference chosen at a user's first Zoom meeting will be saved. Zoom meetings are joined by clicking a web link that the host sends to participants, and the local web server existed so that such links could open the client without a browser prompt.

The security researcher also found that the same issue let any web page mount a denial-of-service (DoS) attack on a Mac user by forcing the machine to join an invalid call over and over. Zoom was informed of the exploit but initially said it did not plan to remove the feature, describing it as a "legitimate solution" that other service providers have used as well.

But now, TechCrunch reports that Apple has stepped in on its own, pushing a silent update to Macs that removes Zoom's web server functionality altogether.

"We appreciate the hard work of the security researcher in identifying security concerns on our platform".

This gave attackers an opening: malicious code placed on websites that connect to the hidden web server (the Outlook web app is given as an example) is enough to drive the Zoom client on any Mac that visits the page. Coordinated-disclosure practice generally gives a vendor 90 days to fix a vulnerability before it is made public, and the blog post suggested the company had not acted in a timely manner within that window to protect its customers. It's underhanded and breaches trust boundaries.
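The attack path described above, as an added example that is not Zoom's code or from the original article: a localhost HTTP listener in Python, written once as reported (any GET from any web page joins a meeting with the camera on, whatever the meeting number) and once with the controls the article attributes to the July patch, an explicit in-app prompt and video off by default, plus validation of the meeting number to close the repeated-invalid-join denial of service mentioned earlier. The port number, URL path, parameter names and the sample request are assumptions constructed for the example, not identifiers taken from this article.

```python
# Added example (not Zoom's code): the Mac web-server issue modelled as a
# localhost HTTP endpoint, first as the reported behaviour and then with the
# mitigations the article describes (an in-app prompt, video off by default)
# plus input validation against the repeated-invalid-join denial of service.
# Port, path and parameter names are assumptions for illustration only.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

LISTEN_PORT = 19421        # assumed fixed port; any guessable port is equally reachable
MAX_MEETING_DIGITS = 11    # assumed upper bound for a meeting number

# Constructed sample: the GET a browser sends for
# <img src="http://localhost:19421/launch?action=join&confno=123456789">
# embedded in a hostile page. The image never loads, but the request arrives.
ATTACK_PATH = "/launch?action=join&confno=123456789"


def _parse(path):
    url = urlparse(path)
    return url.path, parse_qs(url.query)


def vulnerable_decision(path, headers):
    """Reported behaviour: any GET /launch?action=join&confno=... joins, camera on.

    Nothing here can tell a click on a real invite from an <img> on a hostile
    page: a plain image GET carries no Origin header, the Referer can be
    stripped by the page's referrer policy, and no secret is involved, so the
    headers are useless and are ignored. Returns (verdict, detail, video_on).
    """
    route, qs = _parse(path)
    if route == "/launch" and qs.get("action") == ["join"] and qs.get("confno"):
        return ("join", qs["confno"][0], True)   # any confno, even junk, is passed on
    return ("ignore", None, None)


def hardened_decision(path, headers, confirm, video_on_by_default=False):
    """Same endpoint with the mitigations the article describes.

    confirm(confno) -> bool stands in for the native client's prompt. Headers
    are still not consulted, because the browser gives a localhost server
    nothing it can trust; the prompt is what a remote page cannot click.
    Returns (verdict, detail, video_on).
    """
    route, qs = _parse(path)
    if route != "/launch":
        return ("ignore", None, None)
    confno = qs.get("confno", [""])[0]
    # Reject malformed meeting numbers before doing any work: forcing the
    # client to join an invalid call repeatedly was the reported DoS vector.
    if (qs.get("action") != ["join"] or not confno.isdigit()
            or len(confno) > MAX_MEETING_DIGITS):
        return ("deny", "not a well-formed join request", None)
    # A web page can make the request, but it cannot answer a native dialog.
    if not confirm(confno):
        return ("deny", "user declined", None)
    return ("join", confno, video_on_by_default)


def _ask_user(confno):
    """Console stand-in for the in-app prompt; a real client shows a dialog."""
    return input(f"Join meeting {confno}? [y/N] ").strip().lower() == "y"


class Handler(BaseHTTPRequestHandler):
    """Minimal listener wired to hardened_decision, for running the example."""

    def do_GET(self):
        verdict, detail, video = hardened_decision(self.path, self.headers, _ask_user)
        self.send_response(200 if verdict == "join" else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(f"{verdict} {detail} video={video}\n".encode())


if __name__ == "__main__":
    print(f"listening on http://127.0.0.1:{LISTEN_PORT}/ (Ctrl-C to stop)")
    HTTPServer(("127.0.0.1", LISTEN_PORT), Handler).serve_forever()
```

Run the module and open any local HTML file containing the sample `<img>` tag: the request reaches the listener from the browser, but nothing is joined until the console prompt is answered, and a non-numeric `confno` is refused outright. The design point is that the hardened handler adds no header check, since a localhost server cannot distinguish the vendor's own join page from a hostile one by what the browser sends; that is why the durable fix was to remove the server, as the Apple update did, rather than to filter its callers.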

"This is a good example of why you should never overlook physical security", said Lamar Bailey, Senior Director of Security at Tripwire.